Authentication/Authorization Services

Enabling access to your application/service

Enabling your service to authenticate users via CAS or Shibboleth lets web application developers delegate the administrative overhead associated with account and password management.

Limiting access to your application/service

Applicants and parents and former students. Not quite lions and tigers and bears, but oh my!

A very large and diverse group of people are eligible for Texas A&M NetID accounts. If you enable your application or resource to use a central authentication service such as CAS or Shibboleth and provide no mechanism to filter users, anyone with a NetID will be able to access your service. (For information about who is eligible for NetID accounts and how the accounts/passwords are managed, see the Identity Management section.)

So how will you authorize access to your service? The answer to that question is going to depend on the target population. For smaller populations, a database table containing UINs or UUIDs for eligible users is adequate. For larger populations, services typically grant or deny access to the user based on data or attributes that user possesses.

The Enterprise Directory contains basic affiliation data about NetID account holders that can be used by service providers to authorize users wanting to access their services.
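
One way to apply both approaches above after a successful CAS or Shibboleth login, shown as an added example that is not code from this site: an explicit UIN table for a small population, an affiliation rule for a large one, and denial by default. The attribute names `uin` and `eduPersonAffiliation` (from the eduPerson schema), the `Policy` and `authorize` names, and all sample values are assumptions; use the attributes your service is actually granted.

```python
from dataclasses import dataclass

# Assumed attribute names (not taken from the page): a UIN attribute and the
# eduPerson schema's multi-valued eduPersonAffiliation.
UIN_ATTR = "uin"
AFFILIATION_ATTR = "eduPersonAffiliation"


@dataclass(frozen=True)
class Policy:
    allowed_uins: frozenset = frozenset()          # small population: explicit table
    allowed_affiliations: frozenset = frozenset()  # large population: attribute rule


def authorize(attrs: dict, policy: Policy) -> tuple:
    """Return (allowed, reason). Default deny: a valid login alone grants nothing."""
    uin = str(attrs.get(UIN_ATTR) or "").strip()
    if uin and uin in policy.allowed_uins:
        return True, "uin-allowlist"
    raw = attrs.get(AFFILIATION_ATTR) or []
    # Multi-valued attributes may arrive as a list or as one ';'-joined string.
    values = raw.split(";") if isinstance(raw, str) else raw
    held = {str(v).strip().lower() for v in values if str(v).strip()}
    matched = held & policy.allowed_affiliations
    if matched:
        return True, "affiliation:" + ",".join(sorted(matched))
    return False, "no-matching-rule"


# Constructed sample logins: every one of these authenticated successfully.
SAMPLE_LOGINS = {
    "staff member": {"uin": "000000001", "eduPersonAffiliation": ["employee", "staff"]},
    "former student": {"uin": "000000002", "eduPersonAffiliation": "alum"},
    "applicant": {"uin": "000000003", "eduPersonAffiliation": []},
    "listed contractor": {"uin": "000000004", "eduPersonAffiliation": "affiliate"},
    "missing attributes": {},
}

POLICY = Policy(
    allowed_uins=frozenset({"000000004"}),
    allowed_affiliations=frozenset({"employee", "faculty"}),
)

if __name__ == "__main__":
    for who, attrs in SAMPLE_LOGINS.items():
        allowed, reason = authorize(attrs, POLICY)
        print(f"{who:20} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Logging the returned reason with each decision makes it possible to audit later which rule admitted a given user.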

Deciding what to use

Below is a matrix to assist you in determining what infrastructure services you should use based on the population your intended users fall into and the functionality you would like to delegate to infrastructure systems.

Decision matrix to determine which resource to use

| Target Population | Delegated Functionality | Recommended Services/Resources |
|---|---|---|
| Texas A&M NetID account holders | Authentication only | CAS |
| Texas A&M NetID account holders plus Texas A&M System member institution affiliates not eligible for Texas A&M NetID account | Authentication only | Shibboleth via TAMUFederation |
| Texas A&M NetID account holders plus account holders at other higher education institutions | Authentication only | Shibboleth via InCommon Federation |
| Texas A&M NetID account holders | Authentication plus public user contact data pulled by service via anonymous bind to White Pages Directory | CAS; White Pages people attributes |
| Texas A&M NetID account holders | Authentication plus user authorization and/or contact data pushed to service at login | Shibboleth; Enterprise Directory people attributes; Data access request procedure |
| Texas A&M NetID account holders plus Texas A&M System member institution affiliates not eligible for Texas A&M NetID account | Authentication plus user authorization and/or contact data pushed to service at login | Shibboleth via TAMUFederation; Enterprise Directory people attributes (only TAMUFederation attributes will be available from all Identity Providers); Data access request procedure |
| Texas A&M NetID account holders plus account holders at other higher education institutions | Authentication plus user authorization and/or contact data pushed to service at login | Shibboleth via InCommon Federation; Enterprise Directory people attributes (only InCommon Federation attributes will be available from all Identity Providers); Data access request procedure |
| Texas A&M NetID account holders | Authentication plus user authorization and/or contact data pulled by service | CAS; Enterprise Directory people attributes; Enterprise Directory Search web service; Data access request procedure |

InCommon Intermediate Certificates

The Texas A&M CAS service utilizes the InCommon Certificate Authority. The PEM-encoded, Intermediate CA certificate for InCommon certificates used in CAS can be downloaded below.

The legacy, SHA-1 signed InCommon CA certificate (CN=InCommon Server CA):
Download InCommon intermediate certificate.

The SHA384 signed InCommon CA certificate bundle (CN=InCommon RSA Server CA and CN=USERTrust RSA Certification Authority):
Download the InCommon SHA384 intermediate bundle.

The SHA384 signed InCommon CA certificate only (CN=InCommon RSA Server CA, Serial Number=47:20:d0:fa:85:46:1a:7e:17:a1:64:02:91:84:63:74):
Download the InCommon SHA384 intermediate only.

The USERTrust RSA cross-signed Root CA certificate only (CN=USERTrust RSA Certification Authority, Serial Number=13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36):
Download the cross-signed USERTrust RSA certificate only.

A different PEM-encoded, Intermediate CA certificate is used for InCommon code-signing certificates and can be downloaded below.
Download InCommon code-signing intermediate certificate.